A Cloud SecDevOps Methodology: From Design to Testing
Abstract. DevOps is becoming one of the most popular software development methodologies, especially for cloud-based applications. In spite of its popularity, it is still difficult to integrate non-functional requirements, such as security, in the full application development life-cycle. In some recent works, security DevOps (or SecDevOps) has been introduced, in order to enable the adoption of Security-by-Design principles in DevOps processes. In [4], a novel SecDevOps methodology was proposed to exploit such integration, but the security assessment and testing were performed with a static approach. In this paper, we propose to extend the SecDevOps methodology with the adoption of a novel security testing technique in order to dynamically test security properties in the operational phase, too. In order to validate the proposed approach, a cloud application case study involving the WordPress software module is presented and analyzed.
Keywords: Secure development methodologies · Secure cloud applications · Security testing
1 Introduction
DevOps methodologies are becoming very popular, especially in the development of cloud-based applications, but in spite of their wide adoption they are rarely integrated with security design methodologies. The term SecDevOps, or Security DevOps, has recently appeared in the research and developer communities, but managing security in a DevOps life cycle is still hard due to the lack of automatic tools to evaluate and assess security in both the design and the operation phases. In [4], the authors introduced a novel Security-by-Design development methodology for cloud applications, providing automated mechanisms to support developers in the security-related analysis, design and assessment phases of the development process. Secure by design, in software engineering, means that “the software has been designed from the foundation to be secure. At this aim, the alternate security tactics and patterns are first thought and, among them, the best are selected and enforced by the application designer, and then used as guiding principles for developers” [16]. The approach proposed in [4] used models and quantitative metrics to enable the Security-by-Design approach and help developers make security-informed choices. Moreover, the authors showed that it was easy for DevOps teams (mainly developers and testers, not security experts) to adopt and that it could be easily integrated within common agile methodologies (e.g. SCRUM). Despite its potential, however, that methodology has some limitations: it is meant to support developers during the design and deployment phases of a secure application, enabling only a preliminary security assessment, which does not take into account possible security issues that may arise after deployment. In order to ensure that the designed security features ar
V. Casola et al. © Springer Nature Switzerland AG 2020. M. Shepperd et al. (Eds.): QUATIC 2020, CCIS 1266, pp. 317–331, 2020. https://doi.org/10.1007/978-3-030-58793-2_26